SentinelOne Logs

Connecting SentinelOne Cloud Funnel logs to your Panther Console

Overview

Panther supports the following log types from SentinelOne: SentinelOne.Activity (API Activity logs, pulled by Panther from the SentinelOne API) and SentinelOne.DeepVisibilityV2 (Deep Visibility events delivered through Cloud Funnel 2.0).

How to onboard SentinelOne API Activity logs to Panther

The instructions below apply to SentinelOne API Activity logs. For instructions on how to onboard SentinelOne Cloud Funnel logs, see the section below: How to onboard SentinelOne Cloud Funnel Deep Visibility logs to Panther.
Panther's support for SentinelOne API Activity logs is currently in open beta. Please share any bug reports and feature requests with your Panther support team.

Prerequisites

  • You will need an API Token from a Service User that has the Viewer role in your SentinelOne account. Viewer is read-only and is all Panther needs to pull Activity logs; do not grant a broader role to the token you hand to Panther.

Create a SentinelOne Service User + API Token

  1. Log in to your SentinelOne Dashboard.
  2. In the left sidebar menu, click Settings.
  3. At the top of the Settings page, click the Users tab.
  4. On the left side of the Users page, click Service Users.
  5. Click the Actions dropdown, then click Create New Service User.
  6. On the "Create New Service User" page, enter a name and a description, choose an expiration date, then click Next. Note the expiration date you choose: once the token expires, Panther can no longer pull logs, so plan to rotate it before then.
  7. On the "Select Scope of Access" page, configure the following:
     • Access Level: Account
     • Account selected: Ensure you have selected the correct account and that the role is set to Viewer.
  8. Click Create User.
  9. Copy the API Token and store it in a secure location (such as a secrets manager), as you will need to provide it to Panther in the next part of the log source onboarding process.

Create a new SentinelOne API source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Configure > Log Sources.
  3. Click Create New.
  4. Select SentinelOne API from the list of available log sources. Click Start Source Setup.
  5. Configure the SentinelOne API source:
     • Name: Enter a descriptive name for the source, e.g., SentinelOne API
     • SentinelOne API Organization: Enter the subdomain of your SentinelOne account. To find this value, log in to your SentinelOne Dashboard and copy the subdomain from the URL.
       • For example, if your dashboard URL is https://example-domain.sentinelone.net/dashboard, your subdomain would be example-domain.
     • API Token: Enter the token of the Service User that you copied in the previous steps of this documentation.
  6. Click Setup.
  7. You will be directed to a confirmation screen where you can set up a log drop-off alarm.
     • This feature sends an error message if logs aren't received within a specified time interval. It is also the simplest way to notice that the Service User token has expired or been revoked.
  8. Click Finish Setup.
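Before pasting the token into Panther, it is worth confirming that it actually authenticates and can read activities. The script below is an added example, not a tool shipped by Panther or SentinelOne. It derives the subdomain from the dashboard URL exactly as step 5 describes, then issues a single read against the activities endpoint. The endpoint path (/web/api/v2.1/activities) and the "Authorization: ApiToken <token>" header are taken from SentinelOne's public Management API documentation and are assumptions you should check against your own console's API reference; the S1_API_TOKEN environment variable and the check_token helper are this example's own names.

```python
"""Added example: sanity-check a SentinelOne Service User token before onboarding.

Assumptions (verify against your console's API reference):
  * GET https://<subdomain>.sentinelone.net/web/api/v2.1/activities lists activities
  * the token is sent as the header  Authorization: ApiToken <token>
The token is read from the S1_API_TOKEN environment variable so it never lands in
shell history or a command line visible to other local users.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

API_PATH = "/web/api/v2.1/activities"  # assumed, see docstring


def subdomain_from_dashboard_url(url: str) -> str:
    """https://example-domain.sentinelone.net/dashboard -> 'example-domain'"""
    host = urllib.parse.urlparse(url).hostname or ""
    suffix = ".sentinelone.net"
    if not host.endswith(suffix):
        raise ValueError(f"not a SentinelOne console host: {host!r}")
    return host[: -len(suffix)]


def build_request(subdomain: str, token: str, limit: int = 1) -> urllib.request.Request:
    """Build the newest-first activities request with the ApiToken header."""
    query = urllib.parse.urlencode(
        {"limit": limit, "sortBy": "createdAt", "sortOrder": "desc"}
    )
    url = f"https://{subdomain}.sentinelone.net{API_PATH}?{query}"
    headers = {"Authorization": f"ApiToken {token}", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


def summarize(body: dict) -> dict:
    """Reduce an activities response to what onboarding needs to know."""
    data = body.get("data") or []
    latest = data[0] if data else {}
    return {
        "total": (body.get("pagination") or {}).get("totalItems"),
        "latest_created_at": latest.get("createdAt"),
        "latest_activity_type": latest.get("activityType"),
    }


def check_token(dashboard_url: str, token: str) -> dict:
    """Perform one read; a 401 means a bad/expired token, a 403 a too-narrow scope."""
    req = build_request(subdomain_from_dashboard_url(dashboard_url), token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return summarize(json.load(resp))
    except urllib.error.HTTPError as exc:
        raise SystemExit(f"API returned HTTP {exc.code}: token rejected or lacks Viewer scope")


if __name__ == "__main__":
    token = os.environ.get("S1_API_TOKEN")
    if not token or len(sys.argv) != 2:
        sys.exit("usage: S1_API_TOKEN=... python check_token.py https://<subdomain>.sentinelone.net/dashboard")
    print(json.dumps(check_token(sys.argv[1], token), indent=2))
```

A successful call returns the newest activity's createdAt, which is also a useful baseline when you later set the log drop-off alarm: if the console shows recent activity but Panther receives nothing, the problem is on the Panther side rather than the token.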

How to onboard SentinelOne Cloud Funnel Deep Visibility logs to Panther

  1. Set up your Data Transport in the Panther Console.
  2. Configure SentinelOne to push logs to the Data Transport source.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

SentinelOne.Activity

Activity events from the SentinelOne API.

schema: SentinelOne.Activity
parser:
  native:
    name: SentinelOne.Activity
description: Get the activities, and their data, that match the filters. We recommend that you set some values for the filters.
referenceURL: https://usea1-partners.sentinelone.net/api-doc/api-details?category=activities&api=get-activities
fields:
  - name: accountId
    description: Account id
    type: string
  - name: accountName
    description: Account Name
    type: string
  - name: activityType
    required: true
    description: Activity Type
    type: int
  - name: activityUuid
    description: Activity UUID
    type: string
  - name: agentId
    description: Related Agent Id
    type: string
  - name: agentUpdatedVersion
    description: Agents updated version
    type: string
  - name: comments
    description: Comments
    type: string
  - name: createdAt
    description: Activity creation time (UTC)
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: data
    description: Event-specific data. Possible fields include accountid, accountname, action, actoralternateid, agentipv4, alertid, alertprocessname, alertscounter, application, applicationtype, attr, bundlemessage, byuser, changedkeys, commandbatchuuid, commandid, computername, confidencelevel, createdat, createdbyusername, current, datasourcename, deactivationperiodindays, description, detectedat, direction, disabledlevel, dnsrequest, dnsresponse, downloadurl, dstip, dstport, dveventid, dveventtype, email, enabledreason, error, escapedmaliciousprocessarguments, eventcategory, eventdetails, eventexternalid, eventtime, exclusiontype, expiration, expirationmessage, expirydatestr, expirytime, externalip, externalthreatvalue, filecontenthash, filedisplayname, filename, filepath, fullscopedetails, fullscopedetailspath, group, groupid, groupname, grouptype, indicatorcategory, indicatordescription, indicatorname, initiatedbyname, ipaddress, k8sclustername, k8scontainerid, k8scontainerimage, k8scontainerlabels, k8scontainername, k8scontrollerkind, k8scontrollerlabels, k8scontrollername, k8snamespace, k8snamespacelabels, k8snode, k8spod, k8spodlabels, key, licensesdescription, localhost, localhosttype, localports, localporttype, locationnames, loginaccountdomain, loginaccountsid, loginisadministratorequivalent, loginissuccessful, loginsusername, logintype, majorversion, minorversion, modulemessage, modulepath, modulesha1, namechange, namemessage, neteventdirection, networkquarantine, newincidentstatus, newincidentstatustitle, newstatus, newvalue, noteaction, notedetails, oldaccountname, olddescription, oldincidentstatus, oldincidentstatustitle, oldkey, oldrulename, oldsitename, oldstatus, oldvalue, optionalgroups, order, origagentmachinetype, origagentname, origagentosfamily, origagentosname, origagentosrevision, origagentsiteid, origagentuuid, origagentversion, originalstatus, osarch, osfamily, ostypes, packageid, physical, platformtype, policy, policyname, previous, protocol, reason, recoveryemail, registrykeypath, registryoldvalue, registryoldvaluetype, registrypath, registryvalue, remotehost, remotehosttype, remoteports, remoteporttype, reportlog, reportmgmt, role, rolename, rulecreationtime, ruledescription, ruleexpirationmode, ruleid, rulename, rulequerydetails, rulequerytype, rulescopeid, rulescopelevel, ruleseverity, scopeid, scopelevel, scopelevelname, scopename, setting, settingmessage, severity, siteexpiration, siteid, sitename, source, sourcename, sourceparentprocesscommandline, sourceparentprocessintegritylevel, sourceparentprocesskey, sourceparentprocessmd5, sourceparentprocessname, sourceparentprocesspath, sourceparentprocesspid, sourceparentprocesssha1, sourceparentprocesssha256, sourceparentprocesssigneridentity, sourceparentprocessstarttime, sourceparentprocessstoryline, sourceparentprocesssubsystem, sourceparentprocessusername, sourceprocesscommandline, sourceprocessfilehashmd5, sourceprocessfilehashsha1, sourceprocessfilehashsha256, sourceprocessfilepath, sourceprocessfilesigneridentity, sourceprocessintegritylevel, sourceprocesskey, sourceprocessmd5, sourceprocessname, sourceprocesspid, sourceprocesssha1, sourceprocesssha256, sourceprocessstarttime, sourceprocessstoryline, sourceprocesssubsystem, sourceprocessusername, srcip, srcmachineip, srcport, status, storyline, system, systemuser, tagid, tagnames, tags, tgtfilecreatedat, tgtfilehashsha1, tgtfilehashsha256, tgtfileid, tgtfileissigned, tgtfilemodifiedat, tgtfileoldpath, tgtfilepath, tgtproccmdline, tgtprocessstarttime, tgtprocimagepath, tgtprocintegritylevel, tgtprocname, tgtprocpid, tgtprocsignedstatus, tgtprocstorylineid, tgtprocuid, threatalreadyexists, threatclassification, threatclassificationsource, tiindicatorcomparisonmethod, tiindicatorsource, tiindicatortype, tiindicatorvalue, treatasthreat, type, updatedescriptionmessage, updatenameanddescriptionmessage, updatenamemessage, uploadedfilename, userid, username, userscope, uuid, value, version
    type: json
  - name: description
    description: Event description
    type: string
  - name: groupId
    description: Related group id
    type: string
  - name: groupName
    description: Related group name
    type: string
  - name: hash
    description: Threat file hash
    type: string
  - name: id
    required: true
    description: Activity id
    type: string
    indicators:
      - trace_id
  - name: osFamily
    description: Agent's OS type
    type: string
  - name: primaryDescription
    description: Primary activity description
    type: string
  - name: secondaryDescription
    description: Secondary activity description
    type: string
  - name: siteId
    description: Related site id
    type: string
  - name: siteName
    description: Related site name
    type: string
  - name: threatId
    description: Related threat id
    type: string
  - name: updatedAt
    description: Activity last updated time (UTC)
    type: timestamp
    timeFormats:
      - rfc3339
  - name: userId
    description: User who invoked the activity
    type: string

SentinelOne.DeepVisibilityV2

Deep Visibility 2.0 events from the SentinelOne services.

schema: SentinelOne.DeepVisibilityV2
description: Deep Visibility events from the SentinelOne Cloud Funnel 2.0 service
referenceURL: https://support.sentinelone.com/hc/en-us/articles/4409020727575
fields:
  - name: timestamp
    description: Timestamp field
    type: timestamp
    timeFormats:
      - rfc3339
  - name: dataSource.category
    description: DataSourceCategory field
    type: string
  - name: dataSource.name
    description: DataSourceName field
    type: string
  - name: endpoint.name
    description: EndpointName field
    type: string
  - name: endpoint.os
    description: EndpointOs field
    type: string
  - name: endpoint.type
    description: EndpointType field
    type: string
  - name: agent.uuid
    description: AgentUuid field
    type: string
  - name: agent.version
    description: AgentVersion field
    type: string
  - name: site.name
    description: SiteName field
    type: string
  - name: site.id
    description: SiteId field
    type: string
  - name: event.category
    description: EventCategory field
    type: string
  - name: event.type
    description: EventType field
    type: string
  - name: event.time
    required: true
    description: EventTime field
    type: timestamp
    timeFormats:
      - unix_ms
    isEventTime: true
  - name: event.id
    description: EventId field
    type: string
  - name: event.repetitionCount
    description: EventRepetitionCount field
    type: bigint
  - name: src.process.name
    description: SrcProcessName field
    type: string
  - name: src.process.storyline.id
    description: SrcProcessStorylineId field
    type: string
  - name: src.process.cmdline
    description: SrcProcessCmdline field
    type: string
  - name: src.process.user
    description: SrcProcessUser field
    type: string
  - name: src.process.startTime
    description: SrcProcessStartTime field
    type: timestamp
    timeFormats:
      - unix_ms
  - name: src.process.image.path
    description: SrcProcessImagePath field
    type: string
  - name: src.process.image.extension
    description: SrcProcessImageExtension field
    type: string
  - name: src.process.image.size
    description: SrcProcessImageSize field
    type: bigint
  - name: src.process.userSid
    description: SrcProcessUserSid field
    type: string
  - name: src.process.pid
    description: SrcProcessPid field
    type: bigint
  - name: src.process.displayName
    description: SrcProcessDisplayName field
    type: string
  - name: src.process.uid
    description: SrcProcessUid field
    type: string
  - name: src.process.image.binaryIsExecutable
    description: SrcProcessImageBinaryIsExecutable field
    type: boolean
  - name: src.process.integrityLevel
    description: SrcProcessIntegrityLevel field
    type: string
  - name: src.process.signedStatus
    description: SrcProcessSignedStatus field
    type: string
  - name: src.process.publisher
    description: SrcProcessPublisher field
    type: string
  - name: src.process.verifiedStatus
    description: SrcProcessVerifiedStatus field
    type: string
  - name: src.process.reasonSignatureInvalid
    description: SrcProcessReasonSignatureInvalid field
    type: string
  - name: src.process.image.sha1
    description: SrcProcessImageSha1 field
    type: string
    indicators:
      - sha1
  - name: src.process.image.md5
    description: SrcProcessImageMd5 field
    type: string
    indicators:
      - md5
  - name: src.process.image.sha256
    description: SrcProcessImageSha256 field
    type: string
    indicators:
      - sha256
  - name: src.process.subsystem
    description: SrcProcessSubsystem field
    type: string
  - name: src.process.sessionId
    description: SrcProcessSessionId field
    type: bigint
  - name: src.process.isNative64Bit
    description: SrcProcessIsNative64Bit field
    type: boolean
  - name: src.process.isRedirectCmdProcessor
    description: SrcProcessIsRedirectCmdProcessor field
    type: boolean
  - name: src.process.isStorylineRoot
    description: SrcProcessIsStorylineRoot field
    type: boolean
  - name: src.process.activeContentType
    description: SrcProcessActiveContentType field
    type: string
  - name: src.process.activeContent.id
    description: SrcProcessActiveContentId field
    type: string
  - name: src.process.activeContent.path
    description: SrcProcessActiveContentPath field
    type: string
  - name: src.process.activeContent.hash
    description: SrcProcessActiveContentHash field
    type: string
    indicators:
      - sha1
  - name: src.process.activeContent.signedStatus
    description: SrcProcessActiveContentSignedStatus field
    type: string
  - name: src.process.rpid
    description: SrcProcessRpid field
    type: bigint
  - name: src.process.tid
    description: SrcProcessTid field
    type: bigint
  - name: src.process.image.location
    description: SrcProcessImageLocation field
    type: string
  - name: src.process.image.uid
    description: SrcProcessImageUid field
    type: string
  - name: src.process.image.originalFileName
    description: SrcProcessImageOriginalFileName field
    type: string
  - name: src.process.image.description
    description: SrcProcessImageDescription field
    type: string
  - name: src.process.image.internalName
    description: SrcProcessImageInternalName field
    type: string
  - name: src.process.image.productName
    description: SrcProcessImageProductName field
    type: string
  - name: src.process.image.productVersion
    description: SrcProcessImageProductVersion field
    type: string
  - name: src.process.image.type
    description: SrcProcessImageType field
    type: string
  - name: cmdScript.content
    description: CmdScriptContent field
    type: string
  - name: cmdScript.isComplete
    description: CmdScriptIsComplete field
    type: boolean
  - name: cmdScript.sha256
    description: CmdScriptSha256 field
    type: string
    indicators:
      - sha256
  - name: cmdScript.originalSize
    description: CmdScriptOriginalSize field
    type: bigint
  - name: cmdScript.applicationName
    description: CmdScriptApplicationName field
    type: string
  - name: osSrc.process.name
    description: OsSrcProcessName field
    type: string
  - name: osSrc.process.storyline.id
    description: OsSrcProcessStorylineId field
    type: string
  - name: osSrc.process.cmdline
    description: OsSrcProcessCmdline field
    type: string
  - name: osSrc.process.user
    description: OsSrcProcessUser field
    type: string
  - name: osSrc.process.startTime
    description: OsSrcProcessStartTime field
    type: timestamp
    timeFormats:
      - unix_ms
  - name: osSrc.process.image.path
    description: OsSrcProcessImagePath field
    type: string
  - name: osSrc.process.pid
    description: OsSrcProcessPid field
    type: bigint
  - name: osSrc.process.displayName
    description: OsSrcProcessDisplayName field
    type: string
  - name: osSrc.process.uid
    description: OsSrcProcessUid field
    type: string
  - name: osSrc.process.image.binaryIsExecutable
    description: OsSrcProcessImageBinaryIsExecutable field
    type: boolean
  - name: osSrc.process.integrityLevel
    description: OsSrcProcessIntegrityLevel field
    type: string
  - name: osSrc.process.signedStatus
    description: OsSrcProcessSignedStatus field
    type: string
  - name: osSrc.process.publisher
    description: OsSrcProcessPublisher field
    type: string
  - name: osSrc.process.verifiedStatus
    description: OsSrcProcessVerifiedStatus field
    type: string
  - name: osSrc.process.image.sha1
    description: OsSrcProcessImageSha1 field
    type: string
    indicators:
      - sha1
  - name: osSrc.process.image.md5
    description: OsSrcProcessImageMd5 field
    type: string
    indicators:
      - md5
  - name: osSrc.process.image.sha256
    description: OsSrcProcessImageSha256 field
    type: string
    indicators:
      - sha256
  - name: osSrc.process.subsystem
    description: OsSrcProcessSubsystem field
    type: string
  - name: osSrc.process.sessionId
    description: OsSrcProcessSessionId field
    type: bigint
  - name: osSrc.process.isNative64Bit
    description: OsSrcProcessIsNative64Bit field
    type: boolean
  - name: osSrc.process.isRedirectCmdProcessor
    description: OsSrcProcessIsRedirectCmdProcessor field
    type: boolean
  - name: osSrc.process.isStorylineRoot
    description: OsSrcProcessIsStorylineRoot field
    type: boolean
  - name: osSrc.process.activeContentType
    description: OsSrcProcessActiveContentType field
    type: string
  - name: osSrc.process.activeContent.id
    description: OsSrcProcessActiveContentId field
    type: string
  - name: osSrc.process.activeContent.path
    description: OsSrcProcessActiveContentPath field
    type: string
  - name: osSrc.process.activeContent.hash
    description: OsSrcProcessActiveContentHash field
    type: string
    indicators:
      - sha1
  - name: osSrc.process.activeContent.signedStatus
    description: OsSrcProcessActiveContentSignedStatus field
    type: string
  - name: osSrc.process.reasonSignatureInvalid
    description: OsSrcProcessReasonSignatureInvalid field
    type: string
  - name: osSrc.process.crossProcessCount
    description: OsSrcProcessCrossProcessCount field
    type: bigint
  - name: osSrc.process.crossProcessOutOfStorylineCount
    description: OsSrcProcessCrossProcessOutOfStorylineCount field
    type: bigint
  - name: osSrc.process.crossProcessDupRemoteProcessHandleCount
    description: OsSrcProcessCrossProcessDupRemoteProcessHandleCount field
    type: bigint
  - name: osSrc.process.crossProcessDupThreadHandleCount
    description: OsSrcProcessCrossProcessDupThreadHandleCount field
    type: bigint
  - name: osSrc.process.crossProcessOpenProcessCount
    description: OsSrcProcessCrossProcessOpenProcessCount field
    type: bigint
  - name: osSrc.process.crossProcessThreadCreateCount
    description: OsSrcProcessCrossProcessThreadCreateCount field
    type: bigint
  - name: osSrc.process.netConnCount
    description: OsSrcProcessNetConnCount field
    type: bigint
  - name: osSrc.process.netConnInCount
    description: OsSrcProcessNetConnInCount field
    type: bigint
  - name: osSrc.process.netConnOutCount
    description: OsSrcProcessNetConnOutCount field
    type: bigint
  - name: osSrc.process.dnsCount
    description: OsSrcProcessDnsCount field
    type: bigint
  - name: osSrc.process.tgtFileModificationCount
    description: OsSrcProcessTgtFileModificationCount field
    type: bigint
  - name: osSrc.process.tgtFileCreationCount
    description: OsSrcProcessTgtFileCreationCount field
    type: bigint
  - name: osSrc.process.tgtFileDeletionCount
    description: OsSrcProcessTgtFileDeletionCount field
    type: bigint
  - name: osSrc.process.registryChangeCount
    description: OsSrcProcessRegistryChangeCount field
    type: bigint
  - name: osSrc.process.indicatorBootConfigurationUpdateCount
    description: OsSrcProcessIndicatorBootConfigurationUpdateCount field
    type: bigint
  - name: osSrc.process.indicatorEvasionCount
    description: OsSrcProcessIndicatorEvasionCount field
    type: bigint
  - name: osSrc.process.indicatorExploitationCount
    description: OsSrcProcessIndicatorExploitationCount field
    type: bigint
  - name: osSrc.process.indicatorGeneral.count
    description: OsSrcProcessIndicatorGeneralCount field
    type: bigint
  - name: osSrc.process.indicatorInfostealerCount
    description: OsSrcProcessIndicatorInfostealerCount field
    type: bigint
  - name: osSrc.process.indicatorInjectionCount
    description: OsSrcProcessIndicatorInjectionCount field
    type: bigint
  - name: osSrc.process.indicatorPersistenceCount
    description: OsSrcProcessIndicatorPersistenceCount field
    type: bigint
  - name: osSrc.process.indicatorPostExploitationCount
    description: OsSrcProcessIndicatorPostExploitationCount field
    type: bigint
  - name: osSrc.process.indicatorRansomwareCount
    description: OsSrcProcessIndicatorRansomwareCount field
    type: bigint
  - name: osSrc.process.indicatorReconnaissanceCount
    description: OsSrcProcessIndicatorReconnaissanceCount field
    type: bigint
  - name: osSrc.process.childProcCount
    description: OsSrcProcessChildProcCount field
    type: bigint
  - name: osSrc.process.moduleCount
    description: OsSrcProcessModuleCount field
    type: bigint
  - name: osSrc.process.image.type
    description: OsSrcProcessImageType field
    type: string
  - name: osSrc.process.image.extension
    description: OsSrcProcessImageExtension field
    type: string
  - name: osSrc.process.image.size
    description: OsSrcProcessImageSize field
    type: bigint
  - name: osSrc.process.image.location
    description: OsSrcProcessImageLocation field
    type: string
  - name: osSrc.process.image.uid
    description: OsSrcProcessImageUid field
    type: string
  - name: osSrc.process.image.signature.isValid
    description: OsSrcProcessImageSignatureIsValid field
    type: boolean
  - name: osSrc.process.userSid
    description: OsSrcProcessUserSid field
    type: string
  - name: src.process.parent.name
    description: SrcProcessParentName field
    type: string
  - name: src.process.parent.storyline.id
    description: SrcProcessParentStorylineId field
    type: string
  - name: src.process.parent.cmdline
    description: SrcProcessParentCmdline field
    type: string
  - name: src.process.parent.user
    description: SrcProcessParentUser field
    type: string
  - name: src.process.parent.startTime
    description: SrcProcessParentStartTime field
    type: timestamp
    timeFormats:
      - unix_ms
  - name: src.process.parent.image.path
    description: SrcProcessParentImagePath field
    type: string
  - name: src.process.parent.displayName
    description: SrcProcessParentDisplayName field
    type: string
  - name: src.process.parent.uid
    description: SrcProcessParentUid field
    type: string
  - name: src.process.parent.integrityLevel
    description: SrcProcessParentIntegrityLevel field
    type: string
  - name: src.process.parent.signedStatus
    description: SrcProcessParentSignedStatus field
    type: string
  - name: src.process.parent.publisher
    description: SrcProcessParentPublisher field
    type: string
  - name: src.process.parent.image.sha1
    description: SrcProcessParentImageSha1 field
    type: string
    indicators:
      - sha1
  - name: src.process.parent.image.md5
    description: SrcProcessParentImageMd5 field
    type: string
    indicators:
      - md5
  - name: src.process.parent.image.sha256
    description: SrcProcessParentImageSha256 field
    type: string
    indicators:
      - sha256
  - name: src.process.parent.sessionId
    description: SrcProcessParentSessionId field
    type: bigint
  - name: src.process.parent.isNative64Bit
    description: SrcProcessParentIsNative64Bit field
    type: boolean
  - name: src.process.parent.isRedirectCmdProcessor
    description: SrcProcessParentIsRedirectCmdProcessor field
    type: boolean
  - name: src.process.parent.isStorylineRoot
    description: SrcProcessParentIsStorylineRoot field
    type: boolean
  - name: src.process.parent.pid
    description: SrcProcessParentPid field
    type: bigint
  - name: src.process.parent.image.type
    description: SrcProcessParentImageType field
    type: string
  - name: src.process.parent.image.extension
    description: SrcProcessParentImageExtension field
    type: string
  - name: src.process.parent.image.size
    description: SrcProcessParentImageSize field
    type: bigint
  - name: src.process.parent.image.location
    description: SrcProcessParentImageLocation field
    type: string
  - name: src.process.parent.image.uid
    description: SrcProcessParentImageUid field
    type: string
  - name: src.process.parent.image.signature.isValid
    description: SrcProcessParentImageSignatureIsValid field
    type: boolean
  - name: src.process.parent.userSid
    description: SrcProcessParentUserSid field
    type: string
  - name: src.process.parent.image.binaryIsExecutable
    description: SrcProcessParentImageBinaryIsExecutable field
    type: boolean
  - name: osSrc.process.parent.name
    description: OsSrcProcessParentName field
    type: string
  - name: osSrc.process.parent.storyline.id
    description: OsSrcProcessParentStorylineId field
    type: string
  - name: osSrc.process.parent.cmdline
    description: OsSrcProcessParentCmdline field
    type: string
  - name: osSrc.process.parent.user
    description: OsSrcProcessParentUser field
    type: string
  - name: osSrc.process.parent.startTime
    description: OsSrcProcessParentStartTime field
    type: timestamp
    timeFormats:
      - unix_ms
  - name: osSrc.process.parent.image.path
    description: OsSrcProcessParentImagePath field
    type: string
  - name: osSrc.process.parent.pid
    description: OsSrcProcessParentPid field
    type: bigint
  - name: osSrc.process.parent.uid
    description: OsSrcProcessParentUid field
    type: string
  - name: osSrc.process.parent.image.sha1
    description: OsSrcProcessParentImageSha1 field
    type: string
    indicators:
      - sha1
  - name: osSrc.process.parent.image.md5
    description: OsSrcProcessParentImageMd5 field
    type: string
    indicators:
      - md5
  - name: osSrc.process.parent.image.sha256
    description: OsSrcProcessParentImageSha256 field
    type: string
    indicators:
      - sha256
  - name: osSrc.process.parent.displayName
    description: OsSrcProcessParentDisplayName field
    type: string
  - name: osSrc.process.parent.integrityLevel
    description: OsSrcProcessParentIntegrityLevel field
    type: string
  - name: osSrc.process.parent.signedStatus
    description: OsSrcProcessParentSignedStatus field
    type: string
  - name: osSrc.process.parent.publisher
    description: OsSrcProcessParentPublisher field
    type: string
  - name: osSrc.process.parent.reasonSignatureInvalid
    description: OsSrcProcessParentReasonSignatureInvalid field
    type: string
  - name: osSrc.process.parent.sessionId
    description: OsSrcProcessParentSessionId field
    type: bigint
  - name: osSrc.process.parent.isNative64Bit
    description: OsSrcProcessParentIsNative64Bit field
    type: boolean
  - name: osSrc.process.parent.isRedirectCmdProcessor
    description: OsSrcProcessParentIsRedirectCmdProcessor field
    type: boolean
  - name: osSrc.process.parent.isStorylineRoot
    description: OsSrcProcessParentIsStorylineRoot field
    type: boolean
  - name: osSrc.process.parent.activeContentType
    description: OsSrcProcessParentActiveContentType field
    type: string
  - name: osSrc.process.parent.activeContent.id
    description: OsSrcProcessParentActiveContentId field
    type: string
  - name: osSrc.process.parent.activeContent.path
    description: OsSrcProcessParentActiveContentPath field
    type: string
  - name: osSrc.process.parent.activeContent.hash
    description: OsSrcProcessParentActiveContentHash field
    type: string
    indicators:
      - sha1
  - name: osSrc.process.parent.activeContent.signedStatus
    description: OsSrcProcessParentActiveContentSignedStatus field
    type: string
  - name: osSrc.process.parent.image.type
    description: OsSrcProcessParentImageType field
    type: string
  - name: osSrc.process.parent.image.extension
    description: OsSrcProcessParentImageExtension field
    type: string
  - name: osSrc.process.parent.image.size
    description: OsSrcProcessParentImageSize field
    type: bigint
  - name: osSrc.process.parent.image.location
    description: OsSrcProcessParentImageLocation field
    type: string
  - name: osSrc.process.parent.image.uid
    description: OsSrcProcessParentImageUid field
    type: string
  - name: osSrc.process.parent.image.signature.isValid
    description: OsSrcProcessParentImageSignatureIsValid field
    type: boolean
  - name: osSrc.process.parent.userSid
    description: OsSrcProcessParentUserSid field
    type: string
  - name: osSrc.process.parent.image.binaryIsExecutable
    description: OsSrcProcessParentImageBinaryIsExecutable field
    type: boolean
  - name: osSrc.process.parent.subsystem
    description: OsSrcProcessParentSubsystem field
    type: string
  - name: tgt.process.name
    description: TgtProcessName field
    type: string
  - name: tgt.process.relation
    description: TgtProcessRelation field
    type: string
  - name: tgt.process.storyline.id
    description: TgtProcessStorylineId field
    type: string
  - name: tgt.process.cmdline
    description: TgtProcessCmdline field
    type: string
  - name: tgt.process.user
    description: TgtProcessUser field
    type: string
  - name: tgt.process.startTime
    description: TgtProcessStartTime field
    type: timestamp
    timeFormats:
      - unix_ms
  - name: tgt.process.image.path
    description: TgtProcessImagePath field
    type: string
  - name: tgt.process.pid
    description: TgtProcessPid field
    type: bigint
  - name: tgt.process.displayName
    description: TgtProcessDisplayName field
    type: string
  - name: tgt.process.uid
    description: TgtProcessUid field
    type: string
  - name: tgt.process.image.binaryIsExecutable
    description: TgtProcessImageBinaryIsExecutable field
    type: boolean
  - name: tgt.process.integrityLevel
    description: TgtProcessIntegrityLevel field
    type: string
  - name: tgt.process.signedStatus
    description: TgtProcessSignedStatus field
    type: string
  - name: tgt.process.publisher
    description: TgtProcessPublisher field
    type: string
  - name: tgt.process.verifiedStatus
    description: TgtProcessVerifiedStatus field
    type: string
  - name: tgt.process.reasonSignatureInvalid
    description: TgtProcessReasonSignatureInvalid field
    type: string
  - name: tgt.process.image.sha1
    description: TgtProcessImageSha1 field
    type: string
    indicators:
      - sha1
  - name: tgt.process.image.md5
    description: TgtProcessImageMd5 field
    type: string
    indicators:
      - md5
  - name: tgt.process.image.sha256
    description: TgtProcessImageSha256 field
    type: string
    indicators:
      - sha256
  - name: tgt.process.subsystem
    description: TgtProcessSubsystem field
    type: string
  - name: tgt.process.sessionId
    description: TgtProcessSessionId field
    type: bigint
  - name: tgt.process.isNative64Bit
    description: TgtProcessIsNative64Bit field
    type: boolean
  - name: tgt.process.isRedirectCmdProcessor
    description: TgtProcessIsRedirectCmdProcessor field
    type: boolean
  - name: tgt.process.isStorylineRoot
    description: TgtProcessIsStorylineRoot field
    type: boolean
  - name: tgt.process.activeContentType
    description: TgtProcessActiveContentType field
    type: string
  - name: tgt.process.activeContent.id
    description: TgtProcessActiveContentId field
    type: string
  - name: tgt.process.activeContent.path
    description: TgtProcessActiveContentPath field
    type: string
  - name: tgt.process.activeContent.hash
    description: TgtProcessActiveContentHash field
    type: string
    indicators:
      - sha1
  - name: tgt.process.activeContent.signedStatus
    description: TgtProcessActiveContentSignedStatus field
    type: string
  - name: src.process.crossProcessCount
    description: SrcProcessCrossProcessCount field
    type: bigint
  - name: tgt.process.accessRights
    description: TgtProcessAccessRights field
    type: bigint
  - name: tgt.process.image.uid
    description: TgtProcessImageUid field
    type: string
  - name: tgt.process.image.extension
    description: TgtProcessImageExtension field
    type: string
  - name: tgt.process.image.size
    description: TgtProcessImageSize field
    type: bigint
  - name: tgt.process.completeness.hints
    description: TgtProcessCompletenessHints field
    type: bigint
  - name: tgt.process.userSid
    description: TgtProcessUserSid field
    type: string
  - name: event.processtermination.exitCode
    description: EventProcessterminationExitCode field
    type: bigint
  - name: event.processtermination.signal
    description: EventProcessterminationSignal field
    type: string
  - name: tgt.process.parent.image.type
    description: TgtProcessParentImageType field
    type: string
  - name: tgt.process.parent.image.location
    description: TgtProcessParentImageLocation field
    type: string
  - name: src.process.crossProcessOutOfStorylineCount
    description: SrcProcessCrossProcessOutOfStorylineCount field
    type: bigint
  - name: src.process.crossProcessDupRemoteProcessHandleCount
    description: SrcProcessCrossProcessDupRemoteProcessHandleCount field
    type: bigint
  - name: src.process.crossProcessDupThreadHandleCount
    description: SrcProcessCrossProcessDupThreadHandleCount field
    type: bigint
  - name: src.process.crossProcessOpenProcessCount
    description: SrcProcessCrossProcessOpenProcessCount field
    type: bigint
  - name: src.process.crossProcessThreadCreateCount
    description: SrcProcessCrossProcessThreadCreateCount field
    type: bigint
  - name: src.ip.address
    description: SrcIpAddress field
    type: string
    indicators:
      - ip
  - name: src.port.number
    description: SrcPortNumber field
    type: bigint
  - name: dst.ip.address
    description: DstIpAddress field
    type: string
    indicators:
      - ip
  - name: dst.port.number
    description: DstPortNumber field
    type: bigint
  - name: event.network.direction
    description: EventNetworkDirection field
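The schema above lists what each Cloud Funnel row carries, but not how it is consumed. The following is an added example of a Panther-style Python detection written against the SentinelOne.DeepVisibilityV2 fields; it is not code from Panther or SentinelOne. It flags a Microsoft Office process creating either an unsigned child or a signed script host (powershell.exe, mshta.exe and the like), the classic macro-to-dropper pattern. Assumptions, all of which you should confirm against your own data before deploying: Cloud Funnel 2.0 delivers flat JSON whose keys are the dotted names in the schema, so event.get("tgt.process.name") works on a plain dict and on Panther's event object alike; for "Process Creation" events src.process is the creator and tgt.process the new process; and tgt.process.signedStatus reads "signed" for a validly signed image. The sample events are constructed, not real telemetry, and the process-name sets are this example's own choices.

```python
"""Added example: Panther-style rule over SentinelOne.DeepVisibilityV2 events.

Not code from Panther or SentinelOne. Assumptions (verify on your own data):
  * keys are the dotted schema names, e.g. "tgt.process.signedStatus"
  * event.type == "Process Creation" with src.process = creator, tgt.process = child
  * tgt.process.signedStatus == "signed" for a validly signed image
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _basename(event, key):
    """Lower-cased file name, tolerating full paths and missing fields."""
    return (event.get(key) or "").rsplit("\\", 1)[-1].lower()


def _is_signed(event):
    return (event.get("tgt.process.signedStatus") or "").lower() == "signed"


def rule(event) -> bool:
    """True when an Office app spawns an unsigned binary or a script host."""
    if event.get("event.type") != "Process Creation":
        return False
    if _basename(event, "src.process.name") not in OFFICE_APPS:
        return False
    child = _basename(event, "tgt.process.name")
    # Unsigned (or invalid-signature) child, or a signed LOLBin used as a stager
    return (not _is_signed(event)) or child in SCRIPT_HOSTS


def title(event) -> str:
    return (f"{event.get('src.process.name')} spawned "
            f"{event.get('tgt.process.name')} on {event.get('endpoint.name')}")


def severity(event) -> str:
    # An unsigned payload dropped by Office outranks a signed script host
    return "MEDIUM" if _is_signed(event) else "HIGH"


def dedup(event) -> str:
    # One alert per endpoint per child image, however many times it launches
    return f"{event.get('endpoint.name')}:{event.get('tgt.process.image.sha256')}"


# Constructed sample rows shaped like SentinelOne.DeepVisibilityV2 events
SAMPLE_EVENTS = [
    {  # Word launching an unsigned binary from %TEMP%: should fire, HIGH
        "event.type": "Process Creation", "event.time": 1700000000000,
        "endpoint.name": "WS-0142", "src.process.name": "WINWORD.EXE",
        "tgt.process.name": "update.exe",
        "tgt.process.cmdline": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
        "tgt.process.signedStatus": "unsigned",
        "tgt.process.image.sha256": "a" * 64,
    },
    {  # Excel launching signed PowerShell with an encoded command: fires, MEDIUM
        "event.type": "Process Creation", "event.time": 1700000001000,
        "endpoint.name": "WS-0142", "src.process.name": "EXCEL.EXE",
        "tgt.process.name": "powershell.exe",
        "tgt.process.cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
        "tgt.process.signedStatus": "signed",
        "tgt.process.image.sha256": "b" * 64,
    },
    {  # Outlook opening a signed browser: benign, must not fire
        "event.type": "Process Creation", "event.time": 1700000002000,
        "endpoint.name": "WS-0142", "src.process.name": "OUTLOOK.EXE",
        "tgt.process.name": "msedge.exe",
        "tgt.process.signedStatus": "signed",
        "tgt.process.image.sha256": "c" * 64,
    },
    {  # Not a process-creation event at all: ignored
        "event.type": "DNS Resolved", "endpoint.name": "WS-0142",
        "src.process.name": "WINWORD.EXE",
    },
]


def run_rule(events):
    """Evaluate the rule over a batch; returns (title, severity, dedup) per hit."""
    return [(title(e), severity(e), dedup(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

Keying dedup on the child's sha256 rather than its name means a renamed copy of the same dropper on a second host still produces a distinct, investigable alert, while repeated launches of one payload on one host collapse into a single one.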